Authentication Types - SAML
WARNING:
With the SAML authentication type enabled, all deep-links will attempt to validate against the SAML service, potentially redirecting the user to a SAML identity provider login page. All users should log into the top-level Web FQDN and only use deep-links after logging in.
Form Fields
- Name - The name of the authentication profile.
- Status - The status of the authentication profile.
- Settings (Identity Provider)
  - Entity ID - A unique identifier for your SAML-enabled IdP.
  - Single SignOn Service - An endpoint on your IdP that receives incoming authentication requests, processes them, and returns the authenticated user.
  - Single Logout Service - An endpoint on your IdP that receives incoming logout requests and sends logout responses.
  - Certificate - The IdP certificate data.
  - NameID Format - The expected format of the NameID element of the SAML response. This must match the username in Unified Assurance.
- Settings (Service Provider for Internal Presentation) - These fields are read-only in Unified Assurance and will need to be added to your Identity Provider.
  - Entity ID - A unique identifier for your SAML-enabled SP.
  - Assertion Consumer Service - An endpoint to which the IdP sends an authenticated user.
  - Single Logout Service - An endpoint on the SP to which logout requests are sent.
  - Certificate - The SP certificate data.
- Settings (Service Provider for External Presentation) - These fields are read-only in Unified Assurance and will need to be added to your Identity Provider.
  Note: These settings are only filled in when an external presentation server is used; otherwise, they are blank.
  - Entity ID - A unique identifier for your SAML-enabled SP.
  - Assertion Consumer Service - An endpoint to which the IdP sends an authenticated user.
  - Single Logout Service - An endpoint on the SP to which logout requests are sent.
  - Certificate - The SP certificate data.
Best Practices
To set up SAML external authentication:
- Give the values in the "Settings (Service Provider for Internal Presentation)" or "Settings (Service Provider for External Presentation)" section to your organization's SAML administrators for the back-end configuration.
  Note: When a shared Web FQDN is used in an environment, the IdP settings advertised in this UI always point to the Web FQDN alias, so users must use the Web FQDN to log in. If a user enters the Host FQDN in the browser, SAML authentication will not work properly, because the IdP server has no service provider entry for the Host FQDN. Other authentication types still work when the Host FQDN is used to access the environment.
- Obtain the values for the "Settings (Identity Provider)" section from your organization's SAML administrators, including:
  Note: In some IdP configurations, "Single SignOn Service" and "Single Logout Service" may have multiple entries, each a different link for a different connection method (binding), such as HTTP-SOAP or HTTP-POST. Unified Assurance SAML only supports the "HTTP-Redirect" binding.
  - Entity ID
  - Single SignOn Service
  - Single Logout Service
  - Certificate
  - NameID Format (optional)
- Enter the values provided into the form, then click the "Submit" button.
- Restart the Unified Assurance web service:
    systemctl restart assure1-web
- Go to the "Users" UI and create new users, or update existing ones, to use the SAML authentication type.
- Test authentication using the SAML user(s).